3 Reasons Why Encryption Is Not as Safe as You May Believe

Encryption is a cozy word. It sounds like you’ve just hired armed guards to stand in front of your doors with instructions to attack anyone who gets within twenty meters of you. What if I told you that the security you rely on to keep your applications and data safe is nothing more than a lock that will be outdated tomorrow? How about the fact that most service providers don’t even bother to give you transparent information about how they handle security? There are so many reasons to tread carefully that it’s hard to condense them into any number of words. That doesn’t mean I won’t try.

Encryption Is Unreliable

The toughest encryption of today will be outrun by the weakest encryption of tomorrow. This is an inevitable reality. Of course, you don’t have to worry much about the level of encryption your service provider gives you as long as it hasn’t been solved. “Solved” in this context means that a form of encryption has been repeatedly cracked. If your service provider encrypts your data using outdated algorithms, both you and the provider will suffer for it.

Once Government Cracks Something, Hackers Aren’t Far Behind

You probably know about SSL and rely on it daily to access Facebook and your email. Perhaps it’s also no surprise to you that the NSA has cracked RSA and SSL. This tells you something about the future. At the very least, SSL and RSA encryption will simply become outdated as hackers grab a piece of the NSA’s pie and learn how to crack their way into servers for illicit purposes. Just as companies sometimes base their designs on government work, hackers also use government surveillance as a signal booster for what they should do next.

Your Phone Is No Better Off

Who’s developing your apps? It sure isn’t Google, Microsoft, or Apple; they’re just hosting the apps on their stores. Most of the people developing apps are just people. They have either a complete lack of resources or an adequate amount, but nowhere near the near-infinite resources of the companies I just mentioned. This means they can bring only a certain amount of talent into the fray. Unfortunately for you, it also means that the apps you download from individual developers or from very small startups with no experience in the industry are riddled with privacy issues.

Some Guidelines

If you want to stay safe, just follow these rules:

Keep an eye out for broken encryption. Search the type of encryption your service provider uses and use the term “broken.”

Don’t email something you wouldn’t like to have out in the open. Use either face-to-face conversations or video conferencing (with end-to-end encryption, of course) to speak privately.

Avoid using the same password for more than one service. This only makes a hacker’s job of destroying your identity on the web easier. Use SSO services if you’d like to better manage your passwords.

Take a long, hard look at the permission requests your apps make before you install them. This gives you an idea of how extensive the damage can be from an app that is incompetently developed.

Pay attention when a government cracks something. This is a sign that you should start avoiding that type of encryption altogether. It’s not necessarily an attempt to circumvent your government as much as it is an attempt to prevent hackers from getting ahead of you in the “cat and mouse” game.

Hopefully, you’ve gotten a little bit out of this and can understand your security situation better. If you want to contribute to this dialogue, please leave a comment below!


Having been around it and working with it for so long, I’ve seen enough companies give their customers a false sense of security where there is much reason to worry. It just isn’t wise to rely on a service provider just because it encrypts its data. One must ask how it is encrypted and how the key is managed. Obviously, there’s also a lot of ignorance on the consumer end regarding how these algorithms work, so I have a tendency to feel a bit of compassion for them, since they’re easy to dupe into buying inferior products that can be cracked by a script kiddie in his mom’s basement.

Actually, any encryption algorithm can be cracked with enough time and resources. The best you can do to protect yourself is to use strong passwords and make sure you are using at least moderate encryption to protect your data. Whether you become a victim of a cracker or hacker really depends on the odds that you’ve been targeted. Everyone sooner or later gets targeted. Maybe you’ve had it happen already, for example, when you get an email that your email provider has detected suspicious activity and your account has been locked until your password is reset. Usually the hacker will move on to the next account belonging to someone else after attempts to access yours have failed.

Resources are the key. There are firms that appraise how much computer hardware, in terms of dollars, would be required to crack a given key in a specific amount of time. This isn’t a given, of course, but it’s the best scale we have to rate encryption algorithms.

LastPass presents a risk. I’d rate it a 3/10 in hackability. You’d probably want to use a service like PerfectCloud’s SmartSignin, which doesn’t store keys locally, and it uses a form of encryption that would take machines worth billions of dollars (today, of course) years to crack.

I’m still of the belief that encryption itself flags to crackers that there is something worth hiding, thus something worth cracking. Never used encryption myself and never will. It also bothers me when “experts” say to change passwords often. A strong password 20 years ago is still a strong password today. Change it if you give it out or someone otherwise gets ahold of it, but changing it just for the sake of changing it often is simply wasting your time. There are good reasons not to use the same passwords for everything, but having a different password for every website is ridiculous. Keep your banking and professional passwords different, but who cares if someone gets a list of all the forums I contribute to? Not I, says me. :)

“A strong password 20 years ago is still a strong password today.” Except that the miscreants have had 20 years to crack it. In 20 years any password and/or encryption can be cracked, especially with the help of a computer.

“who cares if someone gets a list of all the forums I contribute to?” That list is the least of your worries. If your password is compromised, your PC is compromised and can/will be turned into a zombie to help crack the passwords on my PC.